In: Root » Business » Management
Conducting business has always been a risky proposition, and all businesses have some tools in place to manage risk. Companies insure against losses, institute safety, health, and environmental procedures, lobby governments, hedge currencies, trade commodity futures, and protect their IT systems with firewalls and other measures. But generally these decisions are silo-based: managed by plant managers, country managers, finance departments, and IT administrators. While these may have sufficed in the past, they are inadequate in the era of interdependent risk. No one department or business unit (or even one company) has the peripheral vision needed to manage these risks. What’s more, the trend in corporate governance reform over the past few years means that more corporate boards have new legal responsibilities for enterprise-wide risk management. Since the mid- 1990s and particularly after the accounting scandals at Enron, WorldCom, and others, standards bodies in Australia, New Zealand, Canada, Germany, the United Kingdom, and the United States have all emphasized the board’s responsibility in identifying and managing business risks. Facing greater risks, many businesses are at a loss, and ask questions such as: “What can we do about acts of God or terrorists?” or “Aren’t my competitors just as vulnerable as I am?” They may believe that they cannot afford to take risks, or, having taken risks already, they cannot afford to invest in risk mitigation, believing that it will increase their costs, slow them down, and make them less competitive. Managing risk, however, is about becoming more flexible and competitive, not less. Risk must be examined in the overall context of corporate strategy and market opportunity, but the old adage still applies, “There is no reward without risk.” As a result, companies are turning to strategic risk management to improve outcomes while continuing to actively engage a volatile global business environment. More than just a checklist of safety measures, a strategic risk management approach identifies the core processes that drive a company’s earnings and monitors both internal processes and external events to ensure that risk and reward are continually reevaluated and rebalanced. It is a dynamic approach demanded by a dynamically changing global business environment. The ultimate goal is, through an iterative process, to help companies evaluate their risk management process in the context of a structured “stages of excellence” approach. Rather than cataloguing all the possible risks a company might face, the first stage in strategic risk management is to understand the company’s internal processes in order to isolate the most relevant and critical risks. Once a company understands its own internal vulnerabilities, it can monitor the external environment for danger signs and then begin to create mitigation and contingency plans accordingly. While companies may not be able to prevent disasters, they can reduce the impact by understanding how their operations may be affected. The goal is not to eliminate risk altogether (an impossible proposition) but to develop operational resilience, foster the ability to recover quickly, and plot alternative courses to work around the disruption. While global corporations are vulnerable to many of the same risks, each company has a unique risk profile. There are five key steps in the development of this profile: Prioritize earnings drivers. The first step is to identify and then map a company’s earnings drivers, which provide operational support for the overall business strategy. These are the factors that would have the biggest impact on earnings if disrupted, and a shock to any one could endanger the business. For example, a financial services firm might depend on information technology to the extent that even 10 minutes of downtime could have a major impact on earnings. A consumer products company depends on its brand reputation. Identify critical infrastructure. The next step is to identify the infrastructure —including processes, relationships, people, regulations, plant, and equipment—that supports the firm’s ability to generate earnings. Brand reputation, for example, might depend on product quality control processes, supplier labor practices, and key spokespeople within the firm. Research and development might depend on specific laboratory loca tions, critical personnel, and patent protection. Again, every company is unique, and even companies in the same industry will prioritize their drivers differently. The goal is to identify the essential components required for the earnings driver. One way to do this is by asking, “What are the processes which, if they failed, would seriously affect my earnings?” Locate vulnerabilities. Having mapped the critical operational infrastructure, the next step is to identify the main vulnerabilities. What are the weakest links, the elements on which all of the others depend? It could be a single supplier for a critical component, a border that 80 percent of your products must cross to get to your key markets, a single employee who knows how to restore data if the IT system fails, or a regulation that makes it possible for you to stay in business. Vulnerabilities are characterized by: • An element on which many others depend; a bottleneck • Processes with no alternatives • Association with high-risk geographic areas, industries, and products (war or flood zones, or economically troubled industries, such as airlines) • Insecure access points to important infrastructure Notice that the focus is still on the internal processes rather than potential external events. In many ways, the impact of a disruption does not depend on the precise manner in which these elements fail. Whether your key supplier fails because of a fire in a plant, an earthquake, a terrorist attack, or an economic crisis, you may have the same response plan. Develop responses. After mapping its risk profile, a company will have detailed knowledge of its operational vulnerabilities and how these relate to its strategic goals and earnings. Simply understanding these vulnerabilities at the enterprise level will clarify critical decisions. The decision to move production from South America to China, for example, will have a clear impact on the company’s risk profile, as will a decision to adopt new corporate social responsibility standards. But completing a risk profile will also bring to light opportunities to reduce risk while at the same time indicating the value to be gained. Risk mitigation plans can be put into two broad categories: flexibility and redundancy. Flexible responses generally require advanced planning but little or no upfront investment and include: • Identifying alternate suppliers • Identifying alternate modes of transportation • Using products designed for rapid switching of components • Adopting manufacturing designs for rapid switching of products • Having multiple (flexible) locations for various tasks • Identifying additional production capacity • Cross-training employees Redundant solutions, on the other hand, generally require an investment in capacity that may not be needed and include: • Increasing inventory • Developing a cadre of alternate suppliers • Preparing back-up IT and telecom systems • Holding unused capacity • Fostering long-term supplier contracts Monitor the risk environment. For each vulnerability, there will be a number of potential responses. In order to evaluate which responses are most appropriate, it is necessary to look at the external environment. To be sure, some risks—notably, the wild cards, such as a worldwide pandemic or a simultaneous resurgence of terrorism in several countries—defy easy countermeasures. But most other risks—those that affect a specific country, region, or industrial sector—are manageable. By gauging the likelihood of various events, the company can evaluate how much to invest for each vulnerability. A company’s risk profile is constantly changing —economic and market conditions change, consumer tastes change, the regulatory environment changes, as will products and processes. It is essential that the company’s risk map change in tandem, implementing an early warning system so contingency plans can be activated as soon as possible. Although a detailed development of a company’s risk management profile is a fairly elaborate process, a simple self-assessment can quickly identify the largest gaps. Clearly, being able to reduce the costs of a disaster is a major benefit of risk management. But risk management is much more than an insurance policy that kicks in after disaster strikes. By understanding the relationship between corporate strategy and risk profile, corporations can ensure that they are not taking unnecessary risks, while at the same time reducing the potential impact of essential risks. Through flexibility and redundancy, companies can react quickly to changes in the marketplace, whether those changes are as common as varying consumer demand or as rare as political revolutions. The agility that results will ultimately allow corporations to maintain their equilibrium and come out on top, even in a world perpetually out of balance.
|
|||||||||||||
Disclaimer
1) E-articles is not responsible for the information contained by this article as well for any and all copyright infringements by authors and writers. E-articles is a free information resource. If you suspect this article for any copyright infringement, please read the terms of service and contact us or use the "Report this article" button on this page to investigate the problem.
2) E-articles is not responsible for inaccuracies, falsehoods, or any other types of misinformation this article may contain and will not be liable for any loss or damage suffered by a user through the user's reliance on the information gained here. |
|||||||||||||
